TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

While Efforts Are Ongoing to Deploy a Secure Mechanism to Verify Taxpayer Identities, the Public Still Cannot Access Their Tax Account Information Via the Internet

September 25, 2013

Reference Number: 2013-20-127

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website | http://www.treasury.gov/tigta


HIGHLIGHTS

WHILE EFFORTS ARE ONGOING TO DEPLOY A SECURE MECHANISM TO VERIFY TAXPAYER IDENTITIES, THE PUBLIC STILL CANNOT ACCESS THEIR TAX ACCOUNT INFORMATION VIA THE INTERNET

Final Report issued on September 25, 2013

Highlights of Reference Number: 2013-20-127 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

While the IRS Restructuring and Reform Act of 1998 (RRA 98) required the IRS to develop procedures to allow taxpayers filing returns electronically to review their accounts online by December 31, 2006, the IRS did not meet this requirement. Allowing taxpayers to securely access tax information online will modernize how the IRS interacts with taxpayers, allow for faster response to queries from the general public, and thereby greatly reduce taxpayer burden.

WHY TIGTA DID THE AUDIT

This audit was initiated at the request of the IRS Oversight Board to evaluate the IRS's progress in providing taxpayers with secure online access to their tax account information.

WHAT TIGTA FOUND

The IRS successfully implemented Release 1 of the eAuthentication application during Fiscal Year 2012, which allowed a small number of taxpayers to securely verify their identities with the IRS and participate in the eTranscripts for Banks application. While several applications have been developed and implemented by the IRS, none of these applications meet the RRA 98 requirements. TIGTA also determined that required capacity testing was not adequately completed to ensure that the eAuthentication application can support the expected number of users at any given time, and noted deficiencies with the reporting functionality in Release 1 of the eAuthentication application, which will be addressed in future releases. Finally, TIGTA noted that total cost information for the project is not readily obtainable for project management.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS reprioritize its efforts to develop and implement applications that both serve the taxpayer and comply with RRA 98 requirements. TIGTA also recommended that the IRS perform complete capacity testing of the eAuthentication application prior to Release 2 and continue its efforts in upgrading the reporting functionality of the eAuthentication application. Finally, TIGTA recommended that the IRS coordinate to develop a formal system to provide reports of actual costs received and accepted by Contracting Officer Representatives.

In their response, IRS management agreed with three of our four recommendations. The IRS plans to prioritize release of applications that meet the requirements of RRA 98, complete performance and capacity testing as part of Release 2 of the eAuthentication application, and increase reporting functionality in Release 2 of the eAuthentication application. Although IRS management agreed with the intent and spirit of the fourth recommendation, they disagreed with our finding, which they consider an isolated example, and therefore believe no further action is necessary. During the audit, we found that the existing procurement system cannot track sufficient detail to the project cost level for contracts serving multiple projects, such as the eAuthentication project. As such, we believe that this is not an isolated occurrence and that it needs to be addressed to ensure actual project costs can be readily identified and tracked for management and decision-making purposes.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 25, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney, Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – While Efforts Are Ongoing to Deploy a Secure Mechanism to Verify Taxpayer Identities, the Public Still Cannot Access Their Tax Account Information Via the Internet (Audit # 201220003)

This report presents our review of the Internal Revenue Service's efforts to implement a secure mechanism to verify taxpayer identities and allow the public to access their tax account information via the Internet. This audit was included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management's complete response to the draft report is included in Appendix IV. Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Attachment


Table of Contents

Background

Results of Review
    Applications Were Created to Increase Online Taxpayer Functionality; However, These Applications Do Not Meet the Criteria of the Restructuring and Reform Act of 1998
        Recommendation 1
    Release 1 of the eAuthentication Application Was Successfully Deployed in Fiscal Year 2012
    Complete Capacity Testing for the eAuthentication Application Was Not Performed
        Recommendation 2
    Reporting Functionality Will Be Improved in Release 2 of the eAuthentication Application
        Recommendation 3
    Actual Cost Information Is Not Readily Available for Project Management Purposes
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management's Response to the Draft Report


Abbreviations

COR      Contracting Officer Representative
ID       Identification
IRS      Internal Revenue Service
IT       Information Technology
MIRSA    My IRS Account
RRA 98   Restructuring and Reform Act of 1998


Background

The Internal Revenue Service (IRS) Restructuring and Reform Act of 1998 (RRA 98)[1] requires the IRS to allow taxpayers to access tax account information online. In addition, other Federal mandates, including the Office of Management and Budget Memorandum M-04-04 (eAuthentication[2] Guidance for Federal Agencies) and the President's National Strategy for Trusted Identities in Cyberspace, provide guidance to the IRS for undertaking such an endeavor.

In April 2006, the IRS initiated the My IRS Account (MIRSA) project to provide taxpayers with an online system to view, access, update, and manage their tax accounts. In December 2008, after 32 months of development and the expenditure of approximately $10 million, the MIRSA project was cancelled due to the lack of an effective enterprise-wide eAuthentication strategy.

In its 2009 report,[3] the Treasury Inspector General for Tax Administration recommended that the IRS complete a long-term strategy for the MIRSA project.

[1] Restructuring and Reform Act of 1998, Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).
[2] eAuthentication is defined as the process of establishing confidence in user identities electronically presented to an information system. Systems can use the authenticated identity to determine whether that individual is authorized to perform an electronic transaction. In most cases, the authentication and transaction take place across an open network such as the Internet; in some cases, however, access to the network may be limited and access control decisions may take this into account.
As part of the planned corrective actions to the MIRSA project, the IRS stated that it would develop a strategic approach that would provide individual taxpayers online access to their transcript information through the primary IRS website, IRS.gov, via the Registered User Portal.[4] Taxpayers would have the ability to view, download, and print their transcript information. In August 2010, the IRS completed the "Online Services Strategic Approach," which outlined the IRS's priorities for online services for individual taxpayers. While the strategic approach has been completed, it is a draft version and not ready for distribution.

[3] Treasury Inspector General for Tax Administration, Ref. No. 2009-20-102, Changing Strategies Led to the Termination of the My IRS Account Project (August 2009).
[4] A portal is defined as a website that brings information together from diverse sources in a uniform way. Usually, each information source gets its own dedicated area on the page for displaying information. The Registered User Portal is an IRS external portal that allows registered individuals and third-party users to access the IRS for interaction with selected tax processing and other sensitive systems, applications, and data.

In conjunction with the Online Services Strategic Approach, the eAuthentication application is a new effort in which the IRS plans to leverage the Registered User Portal authentication and registration processes to provide the desired identity verification services, bolstered by selected commercial off-the-shelf software products. The objective of the IRS eAuthentication project is to design and build a common service to proof and register individuals and to provide and validate credentials for ongoing system access using the Internet. The IRS expects that the eAuthentication project will be an enabling service to other applications that are accessible by the public. The eAuthentication project will not build end-user applications but will provide centralized security mechanisms for the applications that are built.

The IRS estimated total costs for Release 1 and Release 2 of the eAuthentication application, including Operations and Maintenance through Fiscal Year 2017, at approximately $65.3 million. Release 1 was deployed at a total development cost of about $26.9 million and provided the core infrastructure (hardware and software) upon which subsequent releases are based. Release 2 development costs are estimated at approximately $8.5 million and should provide enhanced identity verification up to multifactor authentication.[5] The IRS estimates the base operations and maintenance costs for the eAuthentication application through Release 2 at approximately $29.9 million, not including per-transaction costs. A third release of the eAuthentication application is anticipated; however, no approved cost or schedule is currently available.

The responsibility for managing the eAuthentication application and implementing its rollout resides with the Information Technology (IT) Cybersecurity organization. The IT Cybersecurity organization manages the eAuthentication application by following the Enterprise Life Cycle[6] and is the overall business and program owner. The IRS uses its Transition Management processes to transfer the daily management of the eAuthentication application to the Enterprise Operations organization and other receiving organizations. To ensure the success of information technology projects, the IRS requires project managers to report to an executive governance committee for oversight and approval of key decisions. The Security Services and Privacy Executive Steering Committee provides this oversight and conducts Enterprise Life Cycle milestone exit reviews for the eAuthentication application.

The rollout of IRS online applications to be protected by the eAuthentication framework is shared by the Office of Online Services, the Wage and Investment Division, the Office of Privacy, Governmental Liaison and Disclosure, and IT organizations including Applications Development and Cybersecurity. The Office of Online Services, which reports directly to the Office of the Deputy Commissioner for Services and Enforcement, is an IRS-wide group dedicated to providing online (web or mobile) self-service tools for the taxpayer.

[5] Multifactor authentication is defined as a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. Multifactor authentication is achieved by combining two or three independent credentials: what the user knows (knowledge-based authentication), what the user has (security token or smart card), and what the user is (biometric verification).
[6] Enterprise Life Cycle is defined as the approach used by the IRS to manage and implement business changes through information systems initiatives.

This review was performed at the IRS National Headquarters in Washington, D.C., and the IRS IT Cybersecurity function and the Office of Online Services in New Carrollton, Maryland, during the period November 2012 through June 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.


Results of Review

Applications Were Created to Increase Online Taxpayer Functionality; However, These Applications Do Not Meet the Criteria of the Restructuring and Reform Act of 1998

The RRA 98 required the IRS to develop procedures to allow taxpayers filing returns electronically to review their account online by December 31, 2006. The IRS did not meet this requirement, and we determined that the IRS has not made adequate progress in allowing taxpayers to access tax accounts. Currently, taxpayers cannot review account information electronically. The IRS Oversight Board is aware that a disparity exists between what is required by Congress and the amount of Internet accessibility currently available to taxpayers. In April 2012, the Oversight Board requested that the Treasury Inspector General for Tax Administration audit the IRS's progress in providing taxpayers with the ability to review tax account records and report any findings. The eTranscripts for Banks application does not meet the intent of the RRA 98 because it only allows taxpayers to request that their tax account and tax return transcripts be sent to their lending institution electronically rather than by hardcopy request. It does not provide the ability to view, print, or perform any other functions.

We believe that IRS leadership did not prioritize the applications that meet the requirements of the RRA 98. Rather, the IRS devoted resources to the development and implementation of several applications that do not meet the intent of the RRA 98.
These are the eTranscripts for Banks, Where's My Refund?, and Where's My Amended Return? applications. The eTranscripts for Banks application, which was deployed in August 2012, allows taxpayers to request that a tax transcript be sent to a lending institution electronically. The Where's My Refund? application allows taxpayers to track the status of their refund. This application, originally deployed in 2002 as the Internet Refund Fact of Filing application, was redeployed with enhancements in January 2013. The Where's My Amended Return? application allows taxpayers to track the status of an amended return and was deployed in March 2013. While the applications do not directly address the requirement of account review, they do provide ancillary benefits to taxpayers.

The IRS online Get Transcript application is expected to be the first application to meet the intent of the RRA 98. The Get Transcript application will allow taxpayers to access their tax account information via the Internet. Through discussions with Get Transcript application personnel, we were informed that the application is expected to be deployed in January 2014.

In its April 2013 report, the Government Accountability Office[7] stated that while the IRS's efforts have already benefited taxpayers and hold the promise of additional benefits in the future, the IRS does not have a long-term strategy for enhancing its website that explains how its ongoing and new efforts fit together. No overall cost estimate exists, and there are not enough details on goals, deliverables, future online services, and time frames to be able to assess progress.

Because the deadlines set in the RRA 98 were not met, taxpayers' ability to electronically fulfill their tax responsibilities and review their tax account information using the Internet is diminished. In addition, by not implementing an online application that is RRA 98 compliant, the IRS places an increased burden on its customer service representatives, who must answer taxpayers' calls and questions for transcript requests.

[7] Government Accountability Office, GAO-13-435, IRS WEBSITE: Long-Term Strategy Needed to Improve Interactive Services (Apr. 2013).

Recommendation

Recommendation 1: The Office of the Deputy Commissioner for Services and Enforcement should reprioritize future applications to meet the RRA 98 requirements on or before January 2014. The prioritization will need to be coordinated with the IT organization.

    Management's Response: The IRS agreed with this recommendation. The IRS has prioritized future applications based on internal and external stakeholder needs, information technology constraints and safeguards, and requirements such as RRA 98. The Get Transcript application is scheduled to launch in January 2014 and will give taxpayers the ability to view, print, and download their tax transcripts. The IRS also plans to increase interactive capabilities and identify additional features associated with an account. Using available resources cost effectively, the IRS will prioritize the rollout of features by delivering the most impactful capabilities first.

Release 1 of the eAuthentication Application Was Successfully Deployed in Fiscal Year 2012

The E-Government Act of 2002[8] requires Government agencies to increase their presence on the Internet. The purpose of the act is "to promote use of the Internet and other information technologies to provide increased opportunities for citizen participation in Government" and "to promote the use of the Internet and emerging technologies within and across Government agencies to provide citizen-centric Government information and services." Additionally, the RRA 98 requires the IRS to develop procedures under which taxpayers filing returns electronically would be able to review their accounts electronically. The eAuthentication application is essentially the first step for the IRS to meet these legislative requirements.

[8] E-Government Act of 2002, Pub. L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101, H.R. 2458/S. 803.

In Fiscal Year 2012, the IRS developed the first release of an enterprise solution for authenticating taxpayers via the Internet through its eAuthentication application. The main function of the eAuthentication application is to provide a uniform way for taxpayers to authenticate[9] themselves to the IRS before accessing any of the IRS's online applications. Taxpayers create an account with a user identification (ID) and password, which is then used to authenticate to the applications that rely on the eAuthentication application. To create an account, a taxpayer must provide some basic information about themselves, such as name, address, date of birth, Social Security Number or other Taxpayer Identification Number, and filing status. The IRS uses these attributes to verify the identity of the taxpayer. Only once the taxpayer's identity has been verified are they allowed to create an eAuthentication account.

In August 2012, the first application to use the eAuthentication application, eTranscripts for Banks, was deployed. The successful deployment of Release 1 of the eAuthentication application is due to coordinated efforts across the IRS organization. The Cybersecurity organization led the effort and coordinated with the Applications Development organization on the eAuthentication application and the deployment of eTranscripts for Banks as the first protected application. The Office of Online Services coordinated the implementation of the eAuthentication application with the eTranscripts for Banks application by establishing and managing a proof of concept with banking partners to validate the concept of online identity proofing and authentication.

The eTranscripts for Banks application allows taxpayers to request that tax transcripts be sent to their lending institution online. Currently, three lending institutions are enrolled to use the eTranscripts for Banks application, and others are expected to use the application as well.

Release 2 of the eAuthentication application was formally started on October 24, 2012. Release 2 is expected to provide additional functionality and security and should allow more applications to use the eAuthentication application for identity proofing.
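The Release 1 registration flow described in this section (attribute-based identity proofing first, then creation of a user ID and password that is used for every later login) as an added example. This is illustrative code written for this page, not IRS code; the in-memory record store, field names, accepted date formats, lockout threshold and password-hashing parameters are assumptions.

```python
"""Attribute-based identity proofing before account creation (illustrative, not IRS code)."""
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime

MAX_ATTEMPTS = 3         # assumed: failed proofing attempts allowed per TIN before lockout
PBKDF2_ROUNDS = 200_000  # assumed password-hashing work factor


def normalize(text: str) -> str:
    """Case-fold, drop accents and punctuation, collapse whitespace, so that
    "O'Brien, 1 Main St." and "OBRIEN 1 MAIN ST" compare equal."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", " ", ascii_text.lower()).strip()


def digits(text: str) -> str:
    """Keep only digits, so 123-45-6789 and 123456789 compare equal."""
    return re.sub(r"\D", "", text)


def canon_date(text: str) -> str:
    """Accept YYYY-MM-DD or MM/DD/YYYY (assumed input formats); return YYYYMMDD or ''."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).strftime("%Y%m%d")
        except ValueError:
            continue
    return ""


@dataclass
class TaxpayerRecord:
    name: str
    address: str
    dob: str            # YYYY-MM-DD
    tin: str            # SSN or other TIN, digits only
    filing_status: str


EMPTY = TaxpayerRecord("", "", "", "", "")


@dataclass
class ProofingService:
    records: dict                                  # tin -> TaxpayerRecord (constructed store)
    failures: dict = field(default_factory=dict)   # tin -> failed proofing attempts
    accounts: dict = field(default_factory=dict)   # user_id -> credential record

    def proof(self, claim: dict) -> bool:
        """True only if every claimed attribute matches the record held for that TIN."""
        tin = digits(claim.get("tin", ""))
        if self.failures.get(tin, 0) >= MAX_ATTEMPTS:
            return False                           # locked out; the record is not consulted
        record = self.records.get(tin)
        ref = record if record is not None else EMPTY
        # Evaluate every comparison with compare_digest, even when no record exists,
        # so that a missing TIN or an early mismatch does not change the timing profile.
        checks = [
            hmac.compare_digest(normalize(claim.get("name", "")), normalize(ref.name)),
            hmac.compare_digest(normalize(claim.get("address", "")), normalize(ref.address)),
            hmac.compare_digest(canon_date(claim.get("dob", "")), canon_date(ref.dob)),
            hmac.compare_digest(tin, ref.tin),
            hmac.compare_digest(normalize(claim.get("filing_status", "")),
                                normalize(ref.filing_status)),
        ]
        ok = record is not None and all(checks)
        if not ok:
            self.failures[tin] = self.failures.get(tin, 0) + 1
        return ok

    def register(self, claim: dict, user_id: str, password: str) -> bool:
        """Create the account (user ID plus salted PBKDF2 hash) only after proofing succeeds."""
        if not self.proof(claim) or user_id in self.accounts:
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[user_id] = {"tin": digits(claim["tin"]), "salt": salt, "hash": digest}
        return True

    def authenticate(self, user_id: str, password: str) -> bool:
        """Later logins use only the user ID and password, as in Release 1."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, acct["hash"])
```

The TIN selects the record, but the decision depends on every attribute matching, all comparisons run even when no record exists, and a TIN that accumulates failed attempts is locked, which limits guessing of the remaining attributes once a TIN is known. Nothing here is a second factor; that is what the report says Release 2 is meant to add.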
As more applications use the eAuthentication application, the taxpayer's online experience should expand.

Despite the successful deployment of Release 1 of the eAuthentication application, we identified some areas of concern and improvement that will contribute to further successes in future releases of the eAuthentication application.

[9] Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords.

Complete Capacity Testing for the eAuthentication Application Was Not Performed

The Internal Revenue Manual states that capacity testing is a required part of system integration testing. The purpose of capacity testing is to determine whether the application can support the expected number of users authenticating at any given time.

We determined that the IRS eAuthentication project team did not perform complete capacity testing on Release 1 of the eAuthentication application. Without capacity testing, the IRS does not know how many users can access the eAuthentication application at once before it fails. The IRS estimated that a total of 30,000 users would register to use the eAuthentication application to access the eTranscripts for Banks application between August 2012 and November 2012. However, the IRS reported that a total of 96 users requested to use the eAuthentication application in that time period, and only 52 of the 96 users were successful in using the eAuthentication application.

Capacity testing of the eAuthentication application was not fully performed due to instability of the IRS information technology Development, Integration and Testing infrastructure, concerns over the security of data in the testing environment, and scheduling delays caused by technical issues in the eAuthentication application servers. Because of this, full-scope capacity testing could not be completed. Also, the test environment that would be used to conduct capacity testing is shared by other testing organizations; it would therefore be impossible to secure the environment and adequately protect the Personally Identifiable Information that would be contained in the test data. Finally, the project team experienced technical difficulties that took longer than expected to resolve. Due to these difficulties, management decided to move forward with the project rather than delay its implementation.

Without performing adequate capacity testing, the IRS is unable to verify that the eAuthentication application will function as intended. The system could become unresponsive and make it impossible for taxpayers to access any application that relies upon the eAuthentication application as the means to authenticate taxpayer identities. As the enterprise-wide solution for authentication, this lack of capacity testing could have far-reaching implications. Any application using the eAuthentication application for identity proofing could be taken offline by capacity or bandwidth limits in that shared service, making every IRS online application behind it inaccessible via the Internet to taxpayers.

The IRS has seen dramatic increases in the number of taxpayers who have attempted to access their information via the IRS website, IRS.gov. The Where's My Refund? application on IRS.gov had 79 million attempted accesses by taxpayers in the 2011 Filing Season, 140 million attempts in the 2012 Filing Season, and 218 million attempted accesses in the 2013 Filing Season. If the IRS expects a similar response by taxpayers to the applications that will be supported by Release 2 of the eAuthentication application, it is imperative that the IRS perform capacity testing prior to its release. Through discussions with the eAuthentication project team, we noted that capacity testing has been included as part of the testing and verification portfolio for Release 2 of the eAuthentication application.

Recommendation

Recommendation 2: The Associate Chief Information Officer, Cybersecurity, should ensure that capacity testing is adequately performed for the eAuthentication application prior to Release 2 being deployed.

    Management's Response: The IRS agreed with this recommendation. The eAuthentication Release 2 project, as already planned, includes performance and capacity testing as part of its Release 2 go-live activities.

Reporting Functionality Will Be Improved in Release 2 of the eAuthentication Application

The National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, states that an organization should review and analyze information system audit records for indications of inappropriate or unusual activity and report findings to designated organizational officials. It also states that an information system should provide an audit report generation capability that supports near real-time audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents.

We determined that Release 1 of the eAuthentication application has limited reporting functionality. While actions taken by users within the eAuthentication application are identified by user ID, these actions are not associated with a user's actual name and, therefore, cannot be associated with a specific taxpayer. Also, the user information captured by the application may contain Personally Identifiable Information and, therefore, must be encrypted when it is stored on the server. However, the IRS does not have a mechanism to make the encrypted data readable for reporting. The IRS does have an Enterprise Security Audit Trail that can log auditable events for each taxpayer transaction and that does track the individual by Social Security Number. These transactions are available to designated security and audit individuals but are not generally available for management review.

For Release 2 of the eAuthentication application, the project team plans to use the internal Business Objects Enterprise shared services infrastructure, which uses the SAP Business Objects suite of products, to meet reporting requirements. The Business Objects Enterprise capability should enable the project team to provide stakeholders access to more useful reports for both customer usage reporting and process effectiveness purposes.

Without adequate reporting functionality, the IRS is able to see only minimal details about taxpayers using the eAuthentication application. The expanded reporting functionality should provide the IRS with application-specific reports, taxpayer account reports, and system infrastructure reports.

Recommendation

Recommendation 3: The Associate Chief Information Officer, Cybersecurity, should continue the efforts to acquire appropriate software to enable additional reporting functionality.

    Management's Response: The IRS agreed with this recommendation. The eAuthentication Release 2 project, as already planned, includes integration with the existing IRS internal Business Objects Enterprise capability to enable broad management information system reporting.
This will allow the project to configure the system to produce the\n       following business approved reports, such as application specific reports, taxpayer account\n       reports and system infrastructure reports.\n\nActual Cost Information Is Not Readily Available for Project\nManagement Purposes\xc2\xa0\nThe Cybersecurity organization requires its projects to be tracked, monitoring baselines and\nactual project costs on a monthly basis using the Cybersecurity Project Lifecycle Cost\nPerformance Table. This information is used to report project cost information to the various\ngovernance boards. Additionally, the Cybersecurity organization required the project managers\nto debrief management on the project baselines as it relates to scope, cost, and Enterprise Life\nCycle schedule within the months of December 2012 through March 2013. This debrief ensures\nthat the projects are able to provide realistic information for assessment.\nWe determined that actual cost information is not readily available for eAuthentication project\nmanagement. We were informed that the project office has no formal system to obtain actual\ncosts. The project manager uses a less formal approach (e.g., calling people or manually\ntracking expenses) to obtain actual cost information.\nThe IRS has not implemented a system to provide project managers with timely, accurate project\ncost information. Contracting Officer Representatives (COR), who have been delegated\nresponsibility for approving invoices and monitoring contractor payments, did not provide the\nCybersecurity eAuthentication project manager information on invoices they approved for\ncontracts used by the eAuthentication project on a monthly or any other basis.\nDue to the informal nature of the process used, the cost information the project manager obtains\nand ultimately reports to Cybersecurity organization executive management are estimates and\nmay be inaccurate and unreliable. 
Executive management should be given the best information\npossible when making key resource decisions.\n\n\n                                                                                             Page 9\n\x0c                   While Efforts Are Ongoing to Deploy a Secure Mechanism to\n                    Verify Taxpayer Identities, the Public Still Cannot Access\n                         Their Tax Account Information Via the Internet\n\n\n\nRecommendation\nRecommendation 4: The Chief Technology Officer and Chief, Agency-Wide Shared\nServices, should coordinate to develop a formal system to provide reports of actual costs\nreceived and accepted by CORs.\n       Management\xe2\x80\x99s Response: While the IRS agreed with the spirit and intent of this\n       recommendation, it does not agree with the finding, which was based on an isolated example\n       of a single COR managing project cost. All Receipt and Acceptance transactions are done\n       within the Integrated Procurement System. A reports module, accessible by all CORs, allows\n       the COR to track Receipt and Acceptance transactions completed for each project. This\n       standard business practice is already being followed at the IRS; thus, no further action is\n       needed.\n       Office of Audit Comment: During our audit, the Cybersecurity eAuthentication project\n       manager was not able to provide us with actual cost information for the eAuthentication\n       project. Subsequent discussions yielded that the Integrated Procurement System itself cannot\n       track sufficient details to project cost levels for contracts that serve multiple projects, such as\n       the eAuthentication project. 
As such, we believe this is not an isolated occurrence and needs\n       to be addressed to ensure actual project costs can be readily identified and tracked for\n       management and decision-making purposes.\n\n\n\n\n                                                                                                 Page 10\n\x0c                  While Efforts Are Ongoing to Deploy a Secure Mechanism to\n                   Verify Taxpayer Identities, the Public Still Cannot Access\n                        Their Tax Account Information Via the Internet\n\n\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nOur overall objective was to assess the development and implementation of an effective\neAuthentication solution for taxpayers to access their tax information. To accomplish our\nobjective, we:\nI.     Evaluated security testing and capacity testing to determine whether National Institute of\n       Standards and Technology Special Publication 800-53 security controls, capacity limits,\n       and the Internal Revenue Manual password policies over the eAuthentication application\n       are operating effectively.\n       A. Determined whether the IRS properly conducted performance/capacity testing for the\n          eAuthentication application.\n       B. Obtained and reviewed documentation related to the security risk assessment for the\n          eAuthentication application and assessed selected National Institute of Standards and\n          Technology Special Publication 800-53 controls.\nII.    Determined whether only appropriate users have the ability to authenticate with the\n       eAuthentication application, per the National Institute of Standards and Technology\n       Special Publication 800-63.\n       A. Determine whether only appropriate users have the ability to authenticate with the\n          eAuthentication application. 
User populations were not obtainable and, therefore, no\n          sample was taken.\n       B. Determined through online observation/testing whether users are authenticated to the\n          eAuthentication application using the following attributes: name, Social Security\n          Number or other Taxpayer Identification Number, date of birth, address, and filing\n          status.\nIII.   Determined the status of expanding the eAuthentication application to additional online\n       applications and expanding the eTranscripts for Banks application to additional banks.\n       A. Interviewed the eAuthentication project manager and Applications Development\n          organization officials to determine their roles and responsibilities in the deployment\n          of the eAuthentication application and the current plans and schedule to roll out the\n          eAuthentication application to additional online applications and the eTranscripts for\n          Banks application to additional banks.\n       B. Interviewed Office of Online Services personnel, including the business project\n          manager, to determine their roles and responsibilities in the deployment of the\n                                                                                          Page 11\n\x0c                      While Efforts Are Ongoing to Deploy a Secure Mechanism to\n                       Verify Taxpayer Identities, the Public Still Cannot Access\n                            Their Tax Account Information Via the Internet\n\n\n\n             eAuthentication application, and the current plans and schedule to roll out the\n             eAuthentication application to additional online applications and to additional banks.\n        C. Determined how the eTranscripts for Banks application with Chase Bank works and\n           where communication with Chase Bank occurs within the eAuthentication\n           application.\n        D. 
Determined whether the current eTranscripts for Banks application meets the intent of\n           RRA 981 and the E-Government Act of 20022 requirements.\nIV.     Determined costs for the full deployment of the eAuthentication application.\n        A. Obtained total costs to date by fiscal year for the eAuthentication application from the\n           eAuthentication project manager or other responsible IRS officials.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the plans, policies, and processes of the\nIRS Cybersecurity, Applications Development, Office of Online Services, and Procurement\norganizations to manage, monitor, and report on the status and progress of efforts to provide\ntaxpayers with secure online access to their tax account information. We evaluated these\ncontrols by conducting interviews and meetings with management and staff, performing\nindependent analysis of controls in place, and reviewing documentation such as standard\noperating procedures, meeting minutes, and Enterprise Life Cycle artifacts.\n\n\n\n\n1\n  Restructuring and Reform Act of 1998, Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered\nsections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C.,\nand 49 U.S.C.).\n2\n  E-Government Act of 2002, Pub.L. 107\xe2\x80\x93347, 116 Stat. 2899, 44 U.S.C. \xc2\xa7 101, H.R. 2458/S. 
803.\n                                                                                                           Page 12\n\x0c                 While Efforts Are Ongoing to Deploy a Secure Mechanism to\n                  Verify Taxpayer Identities, the Public Still Cannot Access\n                       Their Tax Account Information Via the Internet\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nMyron Gulley, Acting Audit Manager\nW. Allen Gray, Audit Manager\nCharles O. Ekunwe, Lead Auditor\nSamuel C. Mettauer, Information Technology Auditor\nLinda Nethery, Information Technology Auditor\nLarry Reimer, Information Technology Auditor\n\n\n\n\n                                                                                     Page 13\n\x0c                While Efforts Are Ongoing to Deploy a Secure Mechanism to\n                 Verify Taxpayer Identities, the Public Still Cannot Access\n                      Their Tax Account Information Via the Internet\n\n\n\n                                                                            Appendix III\n\n                        Report Distribution List\n\nActing Commissioner\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nChief, Agency-Wide Shared Services OS:A\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nDirector, Office of Research, Analysis and Statistics RAS\nChief, Criminal Investigations SE:CI\nDirector, Statistics of Income RAS:S\nHuman Capital Officer OS:HC\nAssociate Chief Information Officer, Applications Development OS:CTO:AD\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nAssociate Chief Information Officer, Enterprise 
Services OS:CTO:ES\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nAssociate Chief Information Officer, User and Network Services OS:CTO:UNS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                                  Page 14\n\x0c     While Efforts Are Ongoing to Deploy a Secure Mechanism to\n      Verify Taxpayer Identities, the Public Still Cannot Access\n           Their Tax Account Information Via the Internet\n\n\n\n                                                     Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                             Page 15\n\x0cWhile Efforts Are Ongoing to Deploy a Secure Mechanism to\n Verify Taxpayer Identities, the Public Still Cannot Access\n      Their Tax Account Information Via the Internet\n\n\n\n\n                                                        Page 16\n\x0cWhile Efforts Are Ongoing to Deploy a Secure Mechanism to\n Verify Taxpayer Identities, the Public Still Cannot Access\n      Their Tax Account Information Via the Internet\n\n\n\n\n                                                        Page 17\n\x0cWhile Efforts Are Ongoing to Deploy a Secure Mechanism to\n Verify Taxpayer Identities, the Public Still Cannot Access\n      Their Tax Account Information Via the Internet\n\n\n\n\n                                                        Page 18\n\x0c'